Click to Pay - Integration guide for Issuers In Verestro, we introduced Click to Pay card enrollment as a seperate feature in our Token Management Platform. It's possible to implement it within 2-3 months as a standalone integration or even quicker, if you are already using our TMP for MDES/VTS tokenizations. In this guide, we show how to implement Click to Pay enrollment using Verestro TMP API, to improve the digital banking experience for your cardholders. Just as every document in Token Management Platform book, below chapters are addressed to issuers and focused on issuer's perspective. For more general information on click to pay, please refer to Articles. Business Overview Click to Pay is a universal online checkout standard developed jointly by the four major global payment networks — Visa, Mastercard, American Express, and Discover — under the governance of EMVCo. Since it's launch, it has been adopted by thousands of merchants, issuers, and wallet providers worldwide. At its core, Click to Pay abstracts the consumer's Primary Account Number (PAN) behind a secure network token, enabling merchants to process payments without ever handling raw card data. When a consumer checks out using Click to Pay, their enrolled card credentials are retrieved from the Secure Remote Commerce (SRC) system and delivered to the merchant as a payment token, authorized for that specific transaction. All Click to Pay solutions are indicated by the Click to Pay icon  . Why Click to Pay Enrollment Matters to Issuers For a cardholder to use Click to Pay at checkout, their card must first be enrolled in the relevant SRC System. Without enrollment, the card is invisible to Click to Pay and cannot be presented during checkout — even if the network supports it in principle. Issuers drive enrollment. They are the only party that holds the verified cardholder identity, the authoritative card data, and the customer relationship needed to enroll credentials on behalf of or with consent from the cardholder. The Token Management Platform acts as the issuer's API gateway into the Visa SRC and Mastercard MDES systems. Enrollment possibilities Description Business comment Technical requirements Automated, user initiated via available issuer channel Card credential and personal data are pushed automatically, after accepting T&C’s by the user. Convenient flow, with experience similar to xPay push provisioning. Cardholder intentionally enrolls a card and is thus aware of possibility to use C2P.   Recommended implementation.   Verestro TMP API (including  Synchronous card enrollment endpoint ), Visa SRC / MDES for Digital Commerce integration Automated, issuer initiated Card credential and personal data are pushed automatically, without user additional engagement. C2P T&C’s are usually part of issuer’s T&C and consent is given during card activation. Very convenient flow, with minimal user engagement. Although it’s recommended by TSPs, cardholders may not be aware that their card has been pushed to C2P. This flow can also be used for card migrations and bulk enrollments.     Recommended for migrations.   Verestro TMP API (including  Bulk card enrollment endpoint ),   Visa SRC / MDES for Digital Commerce integration Manually, via Merchant’s Payment Gateway Cardholder needs to manually type card credentials, personal data and accept T&C’s during ecommerce payment. This flow requires significant friction and may result in cart abandonment. Convenient for issuers, as works out of the box, assuming MDES/VTS are integrated. Less popular with cardholders.   Verestro TMP API,   VTS / MDES integration Manually, via TSP website Cardholder needs to register to click to pay via TSP website and manually type card credentials, personal data and accept T&C’s. This flow requires not only a lot of effort from the cardholder, but also knowledge about existence of such websites. Convenient for issuers, as works out of the box, assuming MDES/VTS are integrated. Least popular with cardholders. Verestro TMP API, VTS / MDES integration The Token Management Platform as the Issuer's API Gateway Rather than integrating directly with Visa SRC and Mastercard MDES APIs separately — each with distinct authentication, schemas, and lifecycle models — the issuer connects to a single Token Management Platform. The TMP normalises both networks behind a unified REST API, handles routing to the correct SRCS based on card BIN, manages token lifecycle and provides reporting. Use Cases What Enrollment Creates Enrolling a card into Click to Pay creates two linked artefacts within the TSP's SRC System: • A Consumer Profile (SRC Profile): Tied to the cardholder's verified identity (email address and/or phone number). A single consumer profile can hold multiple enrolled cards across multiple networks. • A Token (Network Token / DPAN): A surrogate value that replaces the PAN for use at Click to Pay checkout. The token is domain-controlled — it is only usable in the SRC context and is bound to the consumer's profile. From an issuer's perspective, enrollment is the act of provisioning the cardholder's PAN and identity into the TMP API, which in turn creates or updates the SRC Profile and requests token issuance from the relevant network SRCS. Available Enrollment Channels An issuer may offer Click to Pay enrollment through any or all of the following channels. The TMP API is the same regardless of channel; the channel determines how the cardholder's identity is verified and consent is captured before the API call is made. Channel Description Typical Consent Mechanism Mobile Banking App (user initiated) Cardholder opts in via the issuer's iOS or Android app. In-app consent screen + biometric or PIN confirmation.   Channel supported by synchronous card enrollment endpoint. Internet web banking (user initiated) Cardholder opts in via the issuer's online banking portal Web consent form + OTP or step-up authentication   Channel supported by synchronous card enrollment endpoint. Card management portal (user initiated) Standalone issuer-hosted portal for card services Portal login + SMS OTP or email OTP   Channel supported by synchronous card enrollment endpoint. No UI, auto enrollment  (issuer initiated) Issuer pushes enrollment without a real-time cardholder session Prior consent captured (T&Cs presented alongside card activation, opt-in campaign, card issuance agreement)     Channel supported by asynchronous bulk enrollment endpoint. Identity Verification and Authentication Requirements The SRC specification requires that a cardholder's identity be verified before their card is enrolled. This is the issuer's responsibility. The TMP carries the verified identity attributes in the enrollment request payload but does not perform identity verification itself. • For user-initiated flows: The issuer's banking application must authenticate the cardholder (e.g., via app PIN, biometric, or step-up OTP) before submitting the enrollment API request. The authentication assurance level must meet the network's minimum requirement. • For issuer-initiated async flows: The issuer must hold a record of prior consent. This is typically captured at card issuance via terms and conditions, an explicit opt-in campaign, or a standing mandate. Regulatory requirements (e.g., GDPR, PSD2) govern the validity of this prior consent. How to Implement User Initiated Enrollment Sequence diagram, happy path   API Documentation API technical documentation can be found on:  TMP API and Issuer API pages. Details may differ, depending on implementation approach, but core APIs are: TMP API: POST /issuer/push-provisioning/c2p   Issuer mobile app backend calls Verestro TMP to enroll a card to Click 2 pay. TMP API:  POST /issuer/push-provisioning/tokens/searches Issuer mobile app backend calls Verestro TMP to check existing token statuses and display or hide "Add to Click to Pay" button in mobile application for better user experience, base on the response. If the card has active Click to Pay token, user shouldn't be able to click "Add to Click to Pay" button.  ISSUER API:  POST /card-verifications Verestro TMP will call Issuer/Processor Card Management System to verify card details and status during predigitization, after enrollment initiation. TMP API: POST /issuer/v2/card-events Card Management System (issuer or processor) calls Verestro TMP to keep us synchronised with token status in MDES/VTS. TMP also performs token lifecycle actions in MDES/VTS, basing on this request.